Can the government force you to decrypt private data?

Last month, a federal judge in Denver ordered a suspect to provide the government with the unencrypted contents of a computer she shared with her family. The order was put off while lawyers took the case to an appeals court, arguing the order violates Fifth Amendment protections against self-incrimination. Now, however, it looks as though the defendant will either have to decrypt her laptop or face contempt of court charges. The 10th U.S. Circuit Court of Appeals has refused to get involved, saying the criminal case has to reach a conclusion before it comes within the appeals’ court jurisdiction. The defendant has until February 27 to hand over her data.

At first glance this might seem to be a case of limited scope, but wait a second: Encryption isn’t just an optional tool computer geeks use to protect stuff on their hard drives. It protects everything from our passwords to our online banking sessions to everything we store in the cloud — like email, documents, receipts, and even digital goods. How did we get here? Can the government really order people to decrypt their data?

The case

The case involves Ramona Fricosu and her ex-husband Scott Whatcott, who were indicted in 2010 on bank fraud charges relating to a complicated mortgage scam. According to prosecutors, the pair offered to pay off the mortgages of homeowners desperate to get out from under upside-down situations in the wake of the housing bubble collapse. However, instead of paying off the mortgages and taking possession, they instead filed fraudulent paperwork with courts to obtain titles to the homes, then moved to sell them without paying the outstanding mortgage.

In May of 2010, the government executed search warrants at the residence Fricosu was sharing with her mother and two children. (Whatcott had also previously lived there, but at that point the couple was divorced and he was incarcerated.) Among the items seized by the government were six computers — three desktops and three notebooks, including a Toshiba Satellite M305 notebook. The government obtained a separate warrant to search the Toshiba M305 computer, but discovered the content was encrypted using PGP Desktop whole-disk encryption. The screen of the Toshiba was damaged; investigators had to hook up an external monitor.

The next day, Whatcott telephoned Fricosu from Colorado’s Four Mile Correctional Center. The conversation was recorded. In it, Fricosu says investigators had asked her for passwords to the computer, and that she didn’t answer, saying her lawyer had advised her she was not obligated to give passwords to investigators. She does, however, repeatedly refer to the notebook as her own computer and implies she knows the password to access it.

So far, authorities have not been able to break the computer’s encryption and access any data on the machine.

Rationale for decryption

Forcing a defendant to reveal a password or provide a decrypted version of data stored on a computer would seem to fly in the face of self-incrimination protections offered by the Fifth Amendment. However, there are several nuances and exceptions to Fifth Amendement protection. In issuing his order that Fricosu decrypt the notebook, U.S. District Judge Robert Blackburn indicated he believed the Fricosu case falls outside the lines, although he does note there’s not much case law to go on.

The Fifth Amendment specifically provides that no person can be compelled to bear witness against himself. However, subsequent Supreme Court rulings have constrained that protection to apply only to compelled testimonial communications — typically written or verbal communications before a court. There is also case law that acknowledges that even if a document is not protected by Fifth Amendment privilege, the act of producing the document might be: If prosecutors only become aware of a document on the basis of requiring a defendant to produce it, that would amount to self-incrimination.

Under Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his or her mind: There is, after all, a right to remain silent. Therefore, Fricosu cannot be compelled to produce the password.

However, Judge Blackburn finds that the government has reasonably established the Toshiba notebook belongs to Fricosu or was primarily used by her, and that the government “knows of the existence and location of the computer’s files.” His finding rests strongly on the recorded telephone conversation between Whatcott and Fricosu. Therefore, Blackburn concludes compelling Fricosu to provide decrypted versions of the computer’s contents — not the password itself — is not protected by the production exception. The judge also finds the search warrant that would cover the contents of the computer is valid.

Judge Blackburn has granted Fricosu limited immunity from the government using the act of producing the decrypted data against her. In other words, if the decrypted information contains something unexpected or even unrelated, the government would not be able to pursue prosecution based on the fact Fricosu was able to decrypt it.

What about the Fifth Amendment?

Does Fricosu’s case really fall outside the protections of the Fifth Amendment? Fricosu’s lawyer doesn’t think so, and neither do groups like the Electronic Frontier Foundation, which earlier this year filed an amicus (friend-of-the-court) brief (PDF) on Fricosu’s behalf.

The basic argument that Fricosu’s Fifth Amendment rights protect her from having to produce an unencrypted of its contents boils down to what the government does and doesn’t already know about those contents. Judge BlackBurn finds that the government has established that the contents of the computer are relevant to the case, and government attorneys argued that being required to provide access is no different than requiring suspects to sign authorization to enable investigators to probe overseas bank accounts and safety deposit boxes.

However, in instances where the government is able to compel defendants to disclose documents or accounts, the government has already become aware of the existence of those items through a third party. In Fricosu’s case, an argument could be made that the government has no idea what content it will find on the encrypted computer, or where that information might be located on the computer. (The EFF even argued that the government can’t really prove the notebook is the same one that was seized during the search.)

Although Judge Blackburn has granted Fricosu limited immunity to prevent the government from using the act of providing decrypted data against her, immunity does not extend to the data itself. An argument can be made that this limited immunity potentially violates a Supreme Court prohibition against derivative uses of compelled testimony. If the government were to use evidence obtained from the unencrypted laptop against Fricosu, the government might have to prove it obtained (or could have obtained) all that evidence from independent sources rather than solely from Fricosu herself. So far, the government has had no luck digging up the information it believes is on the notebook from other sources, nor have investigators made any progress decrypting the notebook. Nonetheless, Judge Blackburn found “the fact that [the government] does not know the specific content of any specific documents is not a barrier to production.”

Other cases

In his findings, Judge Blackburn notes there aren’t many other cases that parallel the circumstances in the Fricosu case. The most direct precedent seems to involve a border crossing in Vermont in 2006. During a search, an officer opened a computer and (without entering a password) viewed its files, including child pornography. The defendant was arrested and the notebook seized; however, when officers later tried to access the computer it was found to be password-protected. In that case, the defendant was not ordered to produce the password, but to produce an unencrypted version of the “Z” drive where officers had previously seen the material. A key part of that case, however, is that authorities had actually seen the illegal content on the computer. They knew where it was before the defendant was ordered to provide access to the information. In Fricosu’s case, prosecutors just know they have an encrypted computer. They have no independent evidence or testimony as to its contents.

In Washington State back in 2004, former King County sheriffs detective Dan Ring was arrested for improper use of law enforcement databases as well as other criminal charges. Although data found on Ring’s computer detailed some of his interactions with girlfriends, prostitution rings, and escort services in multiple countries, a portion of his hard drive was encrypted. Ring consistently claimed he couldn’t remember the password to the encrypted data, and partly as a result the case against him was dropped three days before it was set to go to trial. Ring retired — with pension — and the encrypted data has never been cracked.

Setting a precedent

In a statement yesterday, Fricosu’s attorney Phillip DuBois noted “It is possible that Ms. Fricosu has no ability to decrypt the computer, because she probably did not set up the encryption on that computer and may not know or remember the password or passphrase,” DuBois said in a statement Tuesday.

Notably, DuBois also defended PGP creator Philip Zimmerman when he was subject to criminal investigation from the U.S. Customs Service, which sought to classify the PGP algorithm as a munition subject to export controls. The case was dropped without indictment in 1996.

If Fricosu can be compelled to provide an unencrypted version of the data stored on the computer, it may set an ominous precedent for modern technology users. Folks who use services like DropBox, Apple’s iCloud, Amazon S3, and a myriad of other services all rely on their data being stored safely in encrypted form. Similarly, hard drives and SSDs with hardware-based encryption are becoming more and more mainstream — particularly with the proliferation of easily lost or stolen mobile devices. High-grade encryption isn’t just a tool for top-grade technophiles anymore: It’s in everyday products, and millions of people rely on it every day. If the government can compel users to produce unencrypted copies of their data — without knowing what that data might be — it could significantly stifle free speech and the freedom of information.